Free Download Scams – by far the most common scam exploits the controversy around the $9.99 paywall. Scammers have created hundreds of fake social media accounts advertising free downloads or “hacks” to get around the paywall. Some of these accounts boast thousands of followers (see below for screenshots). All involve entering some very questionable URL or shortened link on your phone and downloading the locked levels.

Free Coin Scams – the in-game currency of the game is coins that Mario picks up along his travels. Once again, they advertise shortened and suspicious links to claim the dubious prize.

Hashtag Hijacking – some accounts don’t purport to give you free stuff around Super Mario Run, they simply hijack trending Mario hashtags to advertise their otherwise scammy links (“watch Rogue One free now!”). The popularity of the game is such that even non-Super Mario Run accounts are picking up its language and hashtags to spread their malicious content.

So what do all the links do? It seems to run the gamut, but you guessed it, it’s nothing good. Most of them, about three fourths, redirect to phishing pages that attempt to extort users into providing financial information. Some of them go to slightly more benign pages like ad farms and run-of-the-mill spam sites.

The most prominent group of links, just over 70% of them, lead to variants of #####.getmariorun.com. After landing at this site, victims are presented with a banner giving them the opportunity to “Unlock Full Game Free!”, and then are finally redirected to a survey site asking for credit card information and other PII. These phishing pages claim the only way to get the “free” levels is to put in the sensitive information.

Many links redirect to survey sites asking for credit card info and other PII.
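The two patterns described above, a shortened link that hops several times before landing on a getmariorun.com variant and then a survey page, and game hashtags stapled onto unrelated content, can be turned into simple triage rules. The script below is an added example, not ZeroFOX code; the posts, the redirect map and the hosts (sho.rt, *.example.test) are constructed for illustration, standing in for what a crawler would record when it follows each link.

```python
from urllib.parse import urlparse

# Constructed sample posts (hypothetical accounts, not data from the report).
SAMPLE_POSTS = [
    {"account": "mariorun_free_1",
     "text": "Unlock all levels FREE #SuperMarioRun #MarioRun",
     "url": "https://sho.rt/a1"},
    {"account": "movies4u",
     "text": "watch Rogue One free now! #SuperMarioRun",
     "url": "https://sho.rt/b2"},
    {"account": "nintendo_news",
     "text": "Super Mario Run review #SuperMarioRun",
     "url": "https://example-news.test/review"},
]

# Constructed redirect map: what a crawler observed for each URL (hypothetical hosts).
REDIRECTS = {
    "https://sho.rt/a1": "http://track.example.test/go",
    "http://track.example.test/go": "http://promo.getmariorun.com/unlock",
    "http://promo.getmariorun.com/unlock": "http://survey.example.test/cc",
    "https://sho.rt/b2": "http://stream.example.test/rogue",
}
SHORTENERS = {"sho.rt"}            # hypothetical shortener host
PHISH_SUFFIX = ".getmariorun.com"  # domain family named in the post
GAME_TAGS = {"#supermariorun", "#mariorun"}
GAME_WORDS = ("mario", "levels", "coins", "unlock")
MAX_HOPS = 10                      # stop walking loops or endless chains

def follow_chain(url):
    """Walk the recorded redirect chain from a posted link to its landing page."""
    chain = [url]
    while chain[-1] in REDIRECTS and len(chain) <= MAX_HOPS:
        chain.append(REDIRECTS[chain[-1]])
    return chain

def classify(post):
    """Return the list of reasons a post looks like one of the scams described."""
    reasons = []
    chain = follow_chain(post["url"])
    hosts = [urlparse(u).hostname or "" for u in chain]
    if hosts[0] in SHORTENERS:
        reasons.append("shortened link")
    if any(h.endswith(PHISH_SUFFIX) for h in hosts):
        reasons.append("lands on getmariorun.com variant")
    if len(chain) > 3:  # more than two hops before the landing page
        reasons.append(f"{len(chain) - 1} redirect hops")
    words = post["text"].lower().split()
    tags = {w for w in words if w.startswith("#")}
    body = " ".join(w for w in words if not w.startswith("#"))
    if tags & GAME_TAGS and not any(word in body for word in GAME_WORDS):
        reasons.append("hashtag hijacking: game tags on unrelated content")
    return reasons
```

Run over the three constructed posts, the first is flagged for the shortener, the getmariorun.com landing and its three hops, the second only for the shortener and the hijacked hashtag, and the news post is not flagged at all.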

So far, the automated ZeroFOX Platform has identified 341 malicious accounts (and growing), disseminating as many or more unique malicious links. The nature of social media is such that these numbers may be drastically different by this evening. They may be different within 5 minutes. The only thing we can say for certain is that they’re on the rise. Many of the accounts have been live since as early as late November, before the game was first released. Even if a fraudulent account gets taken down, building a new one takes only 10 minutes and a coffee-shop internet connection.

Although the payload ends up on your mobile device, it’s on social media where these scams live and flourish. Scammers advertise their wares on social so they don’t need to submit anything to the mobile app stores, which are tightly monitored. As such, they fall out of the purview of many external mobile threat monitoring services. Because the scammers urge you to click the link directly from YouTube, Instagram, Facebook or Twitter, the malicious content opens in a standard web browser. This is not a good sign and bypasses many security protocols built into the phone and the app stores.

The rule of thumb with these scams is obvious: don’t click them under any circumstances. Even in YouTube videos demonstrating how well the “hack” works, the scammer reveals the URL redirecting countless times and triggering all sorts of warnings within the phone. Of course, you’re told to ignore them. At the end of the day, you’ll download unknown content from outside a monitored app store. It should go without saying that this is never a good idea. It can lead to a variety of things, but you can be sure it’s not unlocked levels.